PDA

View Full Version : Quadro using 20 meg a day data with no calls



russell
03-07-2008, 03:18 AM
After first installing the Quadro 2X unit I noticed something that has never been present with any other VOIP PABX we have tried.

A steady constantly pulsing light on the router ethernet port that the 2X was plugged into and also on the WAN port.

On further investigation using the ADSL modems tools the 2X unit has a continuous steady 2Kbps upload and download. thats around 20 meg a day with no phone calls.

What's is this continuos stream of data ? and can it be reduced ?

AramK
03-07-2008, 04:35 AM
The traffic generated by Quadro can have different reasons. Here are most common ones.

1. You have big amount of extensions on Quadro registered on internal SIP server.
solution: delete/unregister unused extensions.
2. Your ITSP reguires a very small timeout for SIP registration.
solution: insrease registration timeout.
3. STUN server is unnecessarily enabled on Quadro and due to failure it's not stopping port scanning.
solution: Disable STUN server.

Then can be another reasons too. Check these 3 points first, then we'll continue our investigation if needed.

russell
03-07-2008, 05:05 AM
1) re extensions and sip server , I have disabled all external SIP registration for extensions and we are talking 20 meg a day to the WAN internet external to the ADSL modem

it is not a connection every 60 seconds or 30 seconds .... it is a steady continual 2Kbps upload and 2Kbps download ... the modems traffic tool shows a steady traffic rate of 2Kbps to and from the 2X unit

2) ITSP not sure where to look for this setting on the ITSP extension

3) even if STUN where active would it not be every 30 or 60 seconds etc ... this is a steady data stream.

I looked at the STUN setting but could not see where to turn it off

AramK
03-07-2008, 05:37 AM
1. OK

2. Check the page "Telephony -> SIP Settings" page, SIP timers table.

3. You can disable NAT Traversal (STUN/Manual NAT) from "Telephony -> NAT Traversal Settings" page. I was talking about unnecessarily enabled STUN, when there is no need for STUN to be enabled. In that case if STUN isn't detecting the ports correctly, it will continue port scanning with small intervals and can produce such traffic. You can see the detected connection type by STUN from "System -> Status -> SIP Registration Status" page, in the very bottom.

Is there any other devices connected on Quadro LAN side or to the same ADSL line ?

russell
03-07-2008, 05:46 AM
2) SIP timers are set to standard

3) NAT traversal was set to automatic , I have turned this OFF (made no change)

The Quadro LAN has nothing but IP Phones 6 off them 3 Snom, 1 Aastra , 1 x Grandstream , 1 x Polyvom

this continual traffic was not present before the Quadro was on the LAN. But I did have it auto configure all the phones (except the Grandstream)

AramK
03-07-2008, 05:48 AM
It can't be connected to IP-Phones, because they are registering on Quadro. Can you explain the following sentence - "this continual traffic was not present before the Quadro was on the LAN" ?

AramK
03-07-2008, 05:55 AM
Can you run a capture between Quadro WAN side and ADSL modem, to see what traffic is there exactly and to what IPs ? There is another suspect that you Quadro is under port scanning/attack from outside.

russell
03-07-2008, 03:13 PM
"this continual traffic was not present before the Quadro was on the LAN"

I mean prior to installing the Quadro this was not happening

Re port scan: this started happening immediately when the unit was installed so I would guess that a port scan would not be so fast

I have got IDS turned on and there have been one or 2 reports of a port scan but the logs show that it is certainly not continuous.

russell
03-07-2008, 03:21 PM
OK found the source.

On my ADSL modem I can block traffic ... I blocked the 2Kbps stream and the connection to the main office Asterisk server stopped working.

My question now is ... Once you setup a VOIP provider (ITSP) where on the Quadro can you change the time settings for the ITSP, obviously for some reason there is a continuous 2Kbps between the 2

I have had this same peer setup before between 2 asterisk servers and this traffic does not occur so I am guessing it's generated from the Quadro end.

AramK
03-10-2008, 06:57 AM
Very strange ... Network capture is needed to determine what kind of traffic is there and who is the originator, then find the reason of that traffic and the ways of eliminating it.

KSComs
03-11-2008, 02:57 AM
Russell,

Sounds like Asterisk trunking the keep alive from and to the ITSP to check whether or not a routed call can be established.

Russell are you sure it wasnt prevalent before, or does the ITSP mask the conversation between you and them? Maybe they are doing that and it has never been an issue till now when you try and do it from one Broadband supplier to another.

Ie.. same provider to you might be free, but you to another provider and it is chargeable / cuts into your bandwidth allocation.

Either way, there has to be a conversation to ensure that the call route is establishable.

Regards

Kevin

russell
03-11-2008, 03:45 AM
Russell,

Sounds like Asterisk trunking the keep alive from and to the ITSP to check whether or not a routed call can be established.

thanks

But the connection is between the remote Quadro and our main office Switchvox server. All other ISTP trunks are fine ... only the asterisk trunk thats doing it. The Asterisk SIP time I believe is the standard 60 seconds so strange that it is continuous

I have set this up as a PEER in sterisk , I have yet to try it as a Provider rather than peer, will see if that makes any difference

AramK
03-11-2008, 04:08 AM
Guys, everything you've said here is only guesses. I've suggested to do a network capture in my last comment to determine what kind of traffic is there and who is the originator. It is much more easy than experiment with different setups or blindly change some settings on the devices.

russell
03-11-2008, 05:48 AM
I dont have the facility to do a network capture

AramK
03-11-2008, 06:04 AM
You can download and install the Ethereal - a free network packets analyzer (http://www.ethereal.com/download.html) on some PC/notebook and place ir between Quadro and Asterisk to do a network capture.
You can also use Quadro embedded capture tool, that is placed in hidden page and can be accessed by "http://Your_Quadro_IP/netcapture.cgi" page. Select "WAN interface" and "Capture All Packets" option and start capture. Then stop the capture and download the capture file. At the end remove the capture to free up your Quadro's memory.

russell
03-11-2008, 03:34 PM
OK did the capture ... seems to be a constant NTP stream ?

Screen shot attached

Also I had an entry

Source: x.x.x.x "the Quadro"
Destination 76.203.76.25
Type: SIP
info: request: register portalphone.net

I dont use portalphone.net so why would the Quadro be trying ti register ??

AramK
03-12-2008, 02:55 AM
In the picture I can determine the IP Address of Epygi Mail Server. It is very strange, because by default we don't put any mail address in Quadro settings. Could you please go to "System -> Mail Settings" and see what is configured there ?
Regarding portalphone.net - is there any account registered on your Quadro, or some PC in Quadro LAN side, that can produce that traffic ?
Also, could you please send the systemlogs from your Quadro to me ? I'll send my e-mail address via PM. It will be good to look at the logs, maybe I'll find other problems too. Quadro logs can be downloaded from "System -> Diagnostics -> Show System Logs -> System Logs Settings" page by pressing "Download all logs" button. First check the "Enable Developer Logging" option, then wait for some minutes (10-20 min, to be sure that the traffic will present in the logs) and then download the system logs.

russell
03-12-2008, 05:08 AM
Mail ? I thought it looked like a lot of NTP activity (time server)

I'll email the logs

AramK
03-12-2008, 05:55 AM
Russell, the matter here is that Epygi STUN server is also placed on the same machine as Epygi Mail Server. In the logs sent by you I can see a lot of STUN activity that can produce such traffic as you have currently in your network. It is not traffic between Quadro and Asterisk. In the first comment I warned you that such traffic can be produced by STUN and you've stated that you've disabled STUN on Quadro, but I can see in the logs that it isn't. More, if you'll disable STUN, you probabaly can't make any SIP calls from Quadro, because Quadro STUN detected Port Restricted NAT and Blocked UDP sometimes in your network. Please go to "Telephony -> NAT Traversal Settings -> General Settings" page and set the NAT Traversal state to "Disable", then see is the traffic continues.

russell
03-12-2008, 03:52 PM
I have forwarded all SIP and UDP ports to the Quadro unit ? should that not mean I don't need stun ?

I had previously turned stun off to see if it made any difference , it did not so I tuned it back on. (this was without a reboot)

What I had not been doing (not sure if needed) was rebooting the Quadro after making such stun changes etc.

I turned STUN back off , rebooted and as you said I could no longer make calls. (this did not occur last time when I turned stun off but did not reboot)

I am a little confused .. I thought that if you port forwarded all the correct ports on the router to the Quadro then you did not need STUN ?

The traffic was not present for a few min after reboot but then it started again. I can live with 20meg a day data traffic BUT would like to know if it's necessary or needed.

AramK
03-12-2008, 03:59 PM
Russell, having 20meg traffic is not normal and you are not obligated to live with that. What I want is to help you to find the source of the traffic and get rid of it.

There is no need to reboot Quadro after STUN status changes, as well as after other configuration changes. If there will be a need for reboot, you'll receive a notification. If you've configured your NAT device correctly and forwarded all the SIP/RTP ports to the Quadro correctly, then sure there is no need for STUN to be enabled on Quadro, but you need to use Manual NAT Traversal.

Can you send me a new logs for examination with STUN off ?

russell
03-12-2008, 04:24 PM
will do, i'll turn stun off and get logs and also with stun on

AramK
03-24-2008, 01:01 AM
Update:
The problem was mainly caused by one of IP-Phones located in Quadro LAN, sending 2 NTP requests per second. Probably it was configured manually. Also STUN activity was producing some traffic.